Use the Enable data at rest encryption wizard to enable encryption. The wizard opens when you enable data at rest encryption for the first time.
Before you begin
Enabling data at rest encryption requires a user with the storage administrator role and a user with the security administrator role. See Managing secure user accounts.
A recovery key restores access to encrypted data if the key servers are unavailable. The security administrator must create the recovery key (see Initiating a recovery key). The storage administrator uses the Enable Encryption wizard to authorize the recovery key.
Ensure that at least two key servers are online, accessible, and synchronized. If you are using an IBM® Security Guardium Key Lifecycle Manager key server, ensure that the key labels are available.
To enable encryption on a storage system using TKLM or SKLM, you must upgrade to one of the following versions of TKLM or SKLM that has the Gen2 CA root installed:
- TKLM version 2.0.1 or later on Open Systems
- SKLM (all versions) on Open Systems
- SKLM version 1.1.0.2 or later on z/OS
Procedure
- Log on to the storage system with the storage administrator role.
- Click . On the Security page, select Data at rest Encryption.
- Click Enable Encryption to open the Enable data at rest encryption wizard.
- On the Key Server Type page of the encryption wizard, select the key server type.
- On the Key Servers page, enter the host names of the key servers where the encryption keys are located. Specify from 2 to 4 key servers.
- For IBM Security Guardium Key Lifecycle Manager key servers, define a key label. See Defining key labels.
- If you are using Transport Layer Security (TLS), use the Key Server Certificates page to transfer the key server communication certificates from the key server to the storage system.
- On the DS8000 Encryption Communication Certificate page, export the encryption certificate for the storage system. For more information about managing encryption certificates, see Updating encryption certificates.
- The actions on the Recovery Key page depend on the state of the recovery key:
  - If the recovery key was configured and verified by the security administrator, confirm authorization of the recovery key.
  - If the recovery key was disabled by the security administrator, confirm disablement of the recovery key.
  - If the security administrator did not configure or disable the recovery key, finish the wizard and contact the security administrator. Your settings are saved and you can return to the wizard after the security administrator configures or disables the recovery key.
- Click Finish to enable data at rest encryption.
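The prerequisites above (2 to 4 key servers, at least two online and synchronized, the TKLM/SKLM minimum versions with the Gen2 CA root, and a recovery key that is either verified or disabled before the wizard can finish) can be checked against an inventory before starting the wizard. The following is an added example written for this page, not IBM code or a DS8000 API; the KeyServer record, the platform names "open"/"zos", and the recovery key states are assumptions, and the sample servers in the test are constructed.

```python
from dataclasses import dataclass

# Minimum key-server versions that carry the Gen2 CA root, as stated on this page.
# A (0,) minimum means every version of that product on that platform qualifies.
MIN_VERSIONS = {
    ("TKLM", "open"): (2, 0, 1),    # TKLM 2.0.1 or later on Open Systems
    ("SKLM", "open"): (0,),         # all SKLM versions on Open Systems
    ("SKLM", "zos"): (1, 1, 0, 2),  # SKLM 1.1.0.2 or later on z/OS
}

def parse_version(text):
    """Turn '1.1.0.2' into (1, 1, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def version_ok(product, platform, version):
    """True if this product/platform/version meets the page's stated minimum."""
    minimum = MIN_VERSIONS.get((product, platform))
    if minimum is None:             # product/platform not covered by the table
        return False
    have = parse_version(version)
    width = max(len(have), len(minimum))   # pad so 2.0 compares as 2.0.0
    return (have + (0,) * (width - len(have))
            >= minimum + (0,) * (width - len(minimum)))

@dataclass
class KeyServer:                    # hypothetical inventory record, not a DS8000 API
    host: str
    product: str                    # "TKLM" or "SKLM"
    platform: str                   # "open" or "zos" (assumed names)
    version: str
    online: bool
    synchronized: bool

def preflight(servers, recovery_key_state):
    """Return the list of blockers; an empty list means the wizard can proceed."""
    problems = []
    if not 2 <= len(servers) <= 4:
        problems.append(f"expected 2 to 4 key servers, got {len(servers)}")
    ready = [s for s in servers if s.online and s.synchronized]
    if len(ready) < 2:
        problems.append("fewer than two key servers are online and synchronized")
    for s in servers:
        if not version_ok(s.product, s.platform, s.version):
            problems.append(f"{s.host}: {s.product} {s.version} on {s.platform} "
                            "is below the Gen2 CA root minimum")
    # Recovery Key page: only a verified or disabled key lets the wizard finish.
    if recovery_key_state not in ("verified", "disabled"):
        problems.append("recovery key neither verified nor disabled; "
                        "finish the wizard and contact the security administrator")
    return problems
```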